I used to think, zasu!
I'm Enrique Sanchez. I work for a pen testing company in Europe.
Basically what we're going to do here is just a proof of concept.
There are a couple of things I want to say before the speech.
One, I like to conduct this more question and answer panel.
I unfortunately lost my glasses in a really freak drunk accident.
So these guys are here.
If you raise your hand.
And I don't point you.
It's not because I don't like you.
I just don't see you.
I can barely make his face.
I'm for real.
No, I actually managed to lose the glasses in an airport in London.
I have no idea how I did it.
I think it was like the 15 Guinness.
I don't know, something weird like that.
So first what I'm going to do is I'm going to stand up because I'm extremely short.
I like to be standing up.
It's just something with my culture, I guess.
Stand up.
Fuck you.
He just said stand up.
Yeah, I am Mexican.
No green card, dude.
Just no green card.
I'm just running for the border right after.
You want to show your ID?
Yeah.
I have it right here.
So the thing is.
I'm going to show first what's an IDS, because maybe not a lot of people actually do know what's an IDS.
This is not the textbook definition, but it's the best thing that I can actually tell you so you will comprehend what's a really basic IDS.
It's just a system that will report any activity that could be malicious and can compromise any server or any network in any way.
Any questions?
Yeah.
Yeah, that's what I thought.
Can I guess?
I'm not telling you.
So how does the IDS work?
Basically an IDS is just a really big sniffer.
So what you have is you sniff the network, which is just read every single packet that goes there.
You filter everything via patterns.
This will be a signature-based IDS.
You also have anomaly filters, which is, you just have signatures that are anomaly filters.
This is basically traffic going to your network.
Signature is just a filter.
Say, it's not really normal to see an FTP password 3,000 characters long.
At least I really don't know somebody who will put a really long book into his password.
So anything over maybe 15, you can do an IDS system signature to flag it as a possible attack.
This is a proactive way.
You really don't know in the IDS system.
You really don't know if the attack actually succeeded.
Go back, dude.
I haven't finished the reports.
So the thing is they also elaborate reports.
Why I'm doing this, because after this, I'm going to tell you what kind of IDS systems are out there.
This can be divided in host-based and network-based.
On this one, we're going to be attacking the network-based IDSs.
Examples of IDSs are Snort, Dragonfly, RealSecure.
And On Guard 24.
You have more of them, of course.
But these four can actually take up on the two selective categories.
So why I say that?
What I'm saying right now is an IDS system is just like a hack system.
Why do I say that?
The thing is the only thing that changes is who's in control of that server.
Why?
They both sniff the traffic.
They both are looking for patterns.
The hacker will look for the passwords, the login names, the connections.
And you will look for weird connections, and you will look for signature-based attacks.
And, of course, you always have signatures, and you have traps and actions that you want to take.
In the case of a hacker, if you see a login and a password, you log into a file.
Of course, you can even do more than log into a file.
You can actually execute a couple of programs to be able to even get automatically into the data.
If you are on an IDS system, what you will do, you will probably send an SNMP trap, or you can even do an SMS,
or you can do logging into a file, send a mail, anything that you want to do.
Is it really that bad that they look like?
Not really, because hackers have been pushing the security for years.
They are in the front, and you're just trying to catch back.
That is the reality.
Most people don't like it, but that is that way.
You have to just be realistic with yourself.
So what's this there?
DITSE, and I put that name not because it's really cool.
It's really long to say:
Distributed Intrusion Detection System Evasion.
And I only have one hour.
So the thing is, this is a result of just reading through a couple of stuff and trying things.
So what you do is, you do an analysis of the implementation.
The implementation on the network, the host, and the IDS system.
And it's the result of the weakness of the link between these.
This software will actually bypass.
If you have the network characteristics, it will bypass your IDS system.
It will not log anything at all.
So how does it work?
The thing is, an IDS runs on a host.
You know?
So maybe the IDS system can go to a real host.
It's really high.
But you always have a weak link of if your host is not really fast enough, it will drop packets by itself.
Those packets can never be seen by the IDS because it's not really on level one.
So there are a couple of principle elements that can be attacked on an IDS system.
The way they reassemble packets, which will be insertion, evasion, the time of the queue,
and signature-based attack, and of course the speed of the network.
The first three, they have been done, and they're usually fairly picked up by IDS systems.
The usual dot attack, fragmentation attack, one-bit attacks.
So how does this thing work?
The thing is, this attacks the last one.
It will do the speed of your network against the speed of your IDS system.
You can implement the fastest IDS system you can have.
It can even go to giga if you want to.
If you have a really slow system and cannot take your network,
you will be in serious trouble against this.
How do I know if I'm vulnerable to this?
I got a little bit tired because it's really hot, so I'm going to sit down a little bit.
So what you need to do is just this really simple calculation
of how many packets can take your IDS system.
And I don't mean on the book.
I mean honestly, how many packets can your IDS system take?
How many packets can your system take?
And how many packets can your network base take?
So the thing is, you need to find the weakest link,
and that is where your point of breaking is.
If your host or your IDS system have a breaking point lower than your network,
then you will be in trouble.
Do you guys have any questions?
Yeah, of course, it has to actually go into the network.
You can't break it into the firewall.
You can do a couple of tricks.
You know, like maybe do like same source port destination.
Like destination port 80, source port 80.
So you will force it to leave, to be on the IDS queue.
So you know the host and the IDS are being flooded.
Okay.
We can repeat the questions.
Okay.
Okay.
The smallest packet that you really can send is around 20 bytes.
Normally, if you do a normal socket, it will be around 46.
You can even do one, but that will probably be blocked by the firewall.
You want to make sure that every single packet is going through the firewall.
You can, of course, do advanced more things, which I'm going to say like proxying.
But right now, we're going simple.
So we want to bypass the firewall.
The queue limit for the host can also be attacked,
and the queue for the IDS will be attacked.
So this is an example.
Let's say, for instance, that 50,000 packets is the limit for a host, which is a lot.
An IDS system can go to 20 megabit.
But the network is a corporate one, so you have a 100 megabit connection.
And I can pretty much see that since you don't have the equal one,
you can pretty much see right now that you are probably in trouble.
So these are the facts, and the calculations are,
you have 50,000 packets times 20 bytes, not the megabit, just the bytes.
So you will get a million bytes.
You're multiplying by 8, so you get the megabit,
so you don't start adding up like apples and oranges.
So then you do the translation.
You have 8 megabits against 100 megabytes.
So this IDS is in extreme trouble.
Actually, if you were on a 10 megabit,
you would still be in trouble.
So here's how the attack is going to go.
To be sure that we will have enough probability of dropping the packets,
we will send 60,000 packets per second,
which will be almost 10 megabit.
It will be 9.6.
It means, like I said before, the IDS is extremely vulnerable,
but this arises the question of,
how many attackers do have a pure 10 megabit
to just drop an attack like this on my corporate network?
So the solution is, you distribute the attack.
The hacker goes in there, gets 500 servers.
It's the whole internet.
I'm pretty sure that 500 servers right now
still run WU-FTPD 2.6.0.
Why not?
I mean, if you prove me otherwise,
I'll get you drunk for a week.
So the thing is, you end up having only 200 packets per host,
which is only 32,000 bits.
That's a modem connection.
So we just added up the whole internet to this attack.
So it really doesn't matter
if you have a Linux computer running on a modem.
The hacker can actually use that
to hack into a big corporate network.
Actually, just going to leave it here for a while.
Anybody has a question?
I was thinking...
Are you going to be showing any examples on how to...
Like working code?
Well, not necessarily working code,
but examples on systems that you're using to make games.
Well, it's just basically one extreme technique.
It's just an implementation.
I have working code,
but for security reasons, I will not show it.
I mean, I have a conscience. I'm sorry.
But the thing is,
the only trick that you need to do
is you make sure that everything is load balancing by itself.
You can do this by ICMP.
You ping one host behind.
You ping the router,
or you can even do TCP pinging.
And what you do is
you centralize everything on a server,
like this laptop.
And everything else is reporting.
Every 35 seconds is reporting here.
A normal synchronized attack will be five minutes.
You let it rip for three minutes.
You send the attack.
You wait for two minutes.
The host will be flooded,
and it will start dropping packets.
Like I said, it's a...
I know it's fairly simple.
Theory.
There's not really a big magic,
but every single IDS with the right configuration
is vulnerable to this,
and it's really hard to patch it up.
As this is...
This could be implemented even with DDoS tools,
like Trinoo.
You could modify that.
Of course, that was on UDP,
but you can easily implement it on TCP.
I can't see on the back.
You're good.
I'm okay.
Nobody asking.
That's kind of cool,
because I'm going too fast now.
No, it's okay.
So these are the problems that I was saying before.
It's hard for a hacker
to have a 10 megabit connection all by himself.
So what you do is just divide.
You really have to think of how much you want to divide,
because managing 500 hosts is not going to be funny.
And, of course, it's going to take you a long time
to actually do a program like that.
So staying around 200, maybe 300, is the right idea.
You could actually implement this as a Linux kernel module.
You could make it load.
You can make it actually listen to magic strings.
You can do all the right techniques,
but the theory is the same.
You need to open a socket and send everything spoofed.
I was maybe thinking of doing a real-life example
with three persons from the audience.
The thing is, I got wasted extremely yesterday.
So I didn't manage to get the 1,000 papers
I was going to hand you.
And it's 110 degrees,
so I didn't believe that anybody would just stand here.
Of course, we can actually try to do it if you want to.
Get a couple of papers and scream at each other.
So this is the thing.
Is it really doable in reality?
Like I said before, working code exists.
It really doesn't manage 300 servers because it's tight.
But I have managed to actually make it work in the lab
with 50 servers.
So shoot me, it's not that bad.
So now it's broken.
What can I do with this?
Well, the solution is easy.
You should never go over the breaking point
of your IDS.
I know it's really cool to have a 100 megabit connection,
but even in money-wise,
do you really need a 100 megabit connection?
Most corporate positions don't.
Most companies don't anyway.
You need to make sure that since your network is scalable,
that your IDS is.
All NFR systems are scalable in the hardware area.
There's a hardware solution to actually be scalable,
so you're invulnerable to this attack.
You have software like Snornet,
which will also do it on level 3.
Layer, actually, level 7.
So it will be a little bit slower,
so you would end up with a big machine anyway.
You need to do stacking and load balancing.
And of course, you need to take unusual network peaks
extremely seriously.
You need to configure your firewall wisely.
And do you really have that much traffic at 3 a.m. anyway?
I mean, unless there's a guy just pulling down wires
or DVD rips.
You're probably not.
So that was an extremely fast thing.
It's probably because I'm extremely nervous.
Do we have any questions?
Yes, because the thing is,
what you actually can do is...
Okay, he's asking that if I'm going to flood the network so bad,
if I'm sure that the host is actually going to receive my attack.
So the answer is,
you have a really high probability,
because maybe like 80, 85% of the packets
you do not send them to the host,
because you want to flood the IDS.
You don't want to flood the host.
And you really don't want...
You really don't need to send all the packets to the host.
The IDS is going to read them anyway,
because he's sniffing the network.
When you're doing this,
what's to ensure that your attack
is actually the packets dropped
versus the regular data traffic
that you are using the IDS with?
You mean like how I'm actually making sure
I'm getting 60,000?
60,000 packets and your IDS read 50,000.
What's to ensure that your attack goes to that 10,000 that's dropped?
And what if it goes to that 50,000 that's read?
He's asking how do I know it's 60,000,
how I make sure that every single thing that I'm running
is actually getting 60,000 packets into the network.
You can do this with TCP pinging, load balancing.
My question is,
if your IDS system can...
If you go and read only 50,000,
and you're sending 60,000 packets in,
or 80,000,
and you're doing your attack also at the same time,
what's to ensure that your attack
is actually when they drop packets?
You're just playing with probability in there.
I mean, it's not...
This way you have to double or triple
the amount of the IDS triangle
to actually get a reasonable amount of accuracy.
I'm sorry?
This way you have to double or triple
the amount that a packet you're sending
that the IDS can handle
to ensure that your attack...
You know, the reasonable ability
to actually get through
and not be detected by the IDS.
Yes, but the thing is,
now IDS systems are extremely efficient,
but the hosts are not.
I mean, I don't want to bash any OS,
but, I mean, the one I'm right now,
it doesn't really take 10 megabits on the really kind.
So, yes, you're just playing with probability.
The thing is, you only alarm the IDS,
like, five minutes, and you...
Right now, I'm just taking, for instance,
50,000, and I'm just going 10,000
just to make sure that 10,000 packets get dropped.
If you're gonna do this real,
you probably have to do it like you said.
You probably have to do, like, even triple to make sure.
And even then, you will have maybe, like, 15 to 20%,
just to say something on my test.
It will get picked up anyway.
And this will attack.
If you don't have an anomaly filter,
if you have an anomaly filter
of anything going over 20,000,
20 megabits, anyway,
this should be picked up anyway.
What's the difference in this type of invasion
from a single IDS to a distributed IDS?
No, no, what I'm actually doing
is distributing my attack.
Wow.
Let's go that way.
Will the RMPs, two, one, three,
anything prevent?
No fear or...
Uh, he's asking.
I mean, if the ISPs or the T1s
are doing anything to prevent this type of attack.
Not really.
I mean, that is the bad thing.
And you really can't handle this much.
Okay.
He's saying that if you're aware of this,
can you handle it in a way
that you can block all the attacks?
Not really.
You can spoof every single packet
if you want to with random numbers
as long as they are within the Internet,
the rootable.
So you either let them go through
until a certain point
or get your separate for a DoS attack.
Because if you start...
If you start blocking every single packet,
then I'm going from 0000 to 2555.
Everything's gonna be blocked.
Yes?
Um, there is actually a tool called Stick
that, uh, does the reverse of this.
Uh, it sends so many alarms
that the IDS gets, uh,
or you really don't know if the attack is there.
But the thing is, then you know you're being attacked.
This is more of the thinking of,
you will get a five minute peak warning
and you really don't know if somebody attacked you,
you had a lot of people going into your web server,
or exactly what.
This is, it's really more silent,
but it can also be done in the other way.
He's asking if I'm just sending garbage.
Garbage, yeah, pretty much.
I mean, actually you try to be really small packets,
just since everything that doesn't get filtered
for the firewall, a couple of tricks.
You can go down to one byte TCP,
so you know it's gonna pass the firewall.
You go the same source port and destination,
and if they have a really bad firewall,
you really, really, really wanna make the IDS slow,
you spoof the server request
with the same source port and destination.
So the IDS is not gonna know
if the web server has initiated the connection
or the outside, so it just has to hold on to it
until the time's out, which is really long.
That only happens if you are a SYN-based firewall.
Yep.
Yeah, he's asking if I've done it against
some IDSs.
Yes, actually, I've done it about all commercials,
most all commercials that I can get my hands on.
This is not an implementation.
This is more of a theoretical thing.
It's not really the IDS system fault.
I mean, you can go into giga if you want to.
The host is gonna break, and if you have a really fast host
and the IDS breaks, well.
But I mean, I can assure you right now,
the biggest problem is the host is breaking.
At least on my tests.
He's asking if the solution is to have a host really beefy
and IDS really beefy and hooking up to the network.
If you have a big network, yes,
or you can stack your IDS.
You can make it load balance on hardware, like NFR.
Like I said before, NFR has an implementation on that.
Really don't know if like Real Secure or the other ones
actually do have an implementation on that.
I know they can load balance on level seven, you know.
But I mean, that makes it also slow,
so you're putting yourself in a position in which
then I'm attacking the CPU power that you will have,
not only the network.
Hold on a second.
Okay, can you repeat the question?
Top-lay goes to a switch,
and some flyers, or something?
Sorry, I just died, like,
from the traffic to Daentium.
Not really.
So I mean, it's like, I'm just here to tell you, I really am.
I really don't have all the questions.
I really didn't try, but I'm sure we can give it a try
later on.
Yep.
He's asking if you're eliminating or reducing the chance.
You're actually just reducing the chance of evasion.
You really can't go 100% on this.
I mean, you are going to get picked up sooner or later.
This is not an old, breaking IDS system.
Just don't go running into your networks and turn it off.
It's really nice to have it anyway.
Yes?
Does IDS detect anything, or just the processor usage
just goes way up?
He's asking if the IDS actually detects anything.
It really doesn't detect anything if you don't have
an anomaly peak filter.
And the CPU...
The CPU, it goes out a lot, but not really that much.
I mean, I actually seen it go to 65%, but that's it.
I never made it go to 100.
But that's because it's a small package.
No more questions?
No, I feel like that.
Yeah.
I mean, it's a very fast IDS.
You can actually start the server, and then the server
don't see it like this.
It's the same thing.
It's just a bit different.
And the server will take a few seconds like this.
But the IDS, you don't know that.
But the IDS will take a very long time.
And then the second one has to do with this as well.
And then you go up to the CPU, do something,
and the IDS will just go up.
OK.
That was a really long comment.
And I heard half of it.
But he's basically saying that you can actually
turn the problem around if you have a really fast IDS system.
What you can do is the IDS will do two things.
And the IDS will actually get the first one.
And the server will actually get only into the second one.
So you will corrupt the TCP reassembly.
Any other questions?
Please ask more.
That's it.
That's it?
You tested this out.
Sorry?
You tested it out.
Yeah.
You tested it in the process.
You tested it in the commercial.
I tested the solution.
I opened the solution.
And you're being, I guess, the same hardware.
The solution handled the saturation test.
What solutions handle saturation tests?
I tested it out.
NFR did really well.
Dragonfly is extremely fast.
Snort did really nice, also RealSecure.
The best actually was in a far.
Sorry man, can you shut it out?
I'm really deaf.
So you're saying at what point would you start talking back?
That's a very quick answer.
At what point did you start talking back?
Man.
OK.
It depended on what kind of host I was running.
But Windows started...
died around 15 megabit. OpenBSD did really well. He went all the way to 28, I think.
So it's just a matter of, not really the IDS. Like I said before, it's not really the IDS's
fault. It's right now I'm just attacking the hosts.
One more question here. Sure.
What about appliance? You talked about most, like, OpenBSD or Windows,
but there's a lot of appliance coming here, 650, something like that. Do you have a chance
to test it? No, I didn't have any around, you know.
I'm sorry. I didn't have any time to test them.
Sure.
Have you ever used, I guess they branded it Cisco Securing, yes?
Yeah.
He's asking if I tested it on the Cisco IDS. No. No, I haven't actually tested.
I mean, get a couple of IDSs just to go back and go over it.
Unless you have a couple hundred thousand dollars, it's hard to do.
Oh, of course, the donations of hardware are really, really appreciated.
We're not limited by the bottlenecks of the host on that.
Yeah, but the router can bridge really nice. Yeah.
Any other questions? Because I see people leaving anyway.
No more questions?
The slides are going to be at this URL. If you have any questions, rants, flames, anything,
that will be my email. I do check it at least three times a day, so you will get a response back.
I can actually tell you about that. No spam, please.
No spam.
Just no spam, man.
Good job.
Hold on. That's it. Class dismissed.
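The capacity arithmetic from the talk (packets per second, times bytes per packet, times 8, compared against the link speed), written out as an added example that is not the speaker's code or the DITSE tool. It uses the talk's figures (50,000 packets per second for the host, a 20 megabit IDS, a 100 megabit link, 20-byte packets) as inputs, and adds a simple per-second rate check of the kind the speaker describes as an "anomaly peak filter"; the threshold and the sample packet counts are constructed for the example.

```python
"""Capacity check for a network IDS against its link, using the figures from the talk.

Added example, not from the talk: it reproduces the speaker's arithmetic
(packets per second x bytes per packet x 8 = bits per second) and turns it
into a check a defender can run against their own numbers. The host and IDS
limits, packet size and link speed used below are the talk's example values,
not measurements of any real product.
"""

MIN_PACKET_BYTES = 20  # smallest packet size the talk works with


def pps_to_mbit(pps: int, packet_bytes: int = MIN_PACKET_BYTES) -> float:
    """Convert a packet rate into megabits per second (bits, not bytes)."""
    return pps * packet_bytes * 8 / 1_000_000


def breaking_point(host_pps: int, ids_mbit: float, link_mbit: float,
                   packet_bytes: int = MIN_PACKET_BYTES) -> dict:
    """Find the weakest link between host, IDS and network.

    The host is rated in packets per second (its packet-handling limit) and is
    converted to Mbit/s at the smallest packet size; the IDS is rated directly
    in Mbit/s. Whichever is lower is the breaking point. If the link can carry
    more than that, the talk's argument applies: traffic can exceed what the
    sensor processes and packets get dropped unseen.
    """
    host_mbit = pps_to_mbit(host_pps, packet_bytes)
    weakest_name, weakest_mbit = min(
        (("host", host_mbit), ("ids", ids_mbit)), key=lambda kv: kv[1])
    return {
        "host_mbit": host_mbit,
        "weakest": weakest_name,
        "weakest_mbit": weakest_mbit,
        "link_mbit": link_mbit,
        # >1 means the link can deliver more than the weakest component handles
        "headroom": link_mbit / weakest_mbit,
        "vulnerable": link_mbit > weakest_mbit,
    }


def rate_alerts(pps_samples, threshold_pps: int) -> list:
    """Return the indexes of seconds whose packet rate exceeds the threshold.

    This is the "anomaly peak filter" idea from the Q&A: a rate threshold set
    below the breaking point flags the flood even when the signature engine
    is already dropping packets and sees nothing.
    """
    return [i for i, pps in enumerate(pps_samples) if pps > threshold_pps]


# Constructed per-second packet counts: a quiet baseline, then a burst.
SAMPLE_PPS = [1_200, 1_500, 1_100, 61_000, 63_500, 1_300]

if __name__ == "__main__":
    bp = breaking_point(host_pps=50_000, ids_mbit=20, link_mbit=100)
    print(bp)  # host capacity 8.0 Mbit/s is the weakest link; vulnerable
    print(pps_to_mbit(60_000))  # 9.6 Mbit/s, the rate the talk uses
    # Alert threshold at 80% of the host's packet limit (constructed choice).
    print(rate_alerts(SAMPLE_PPS, threshold_pps=int(0.8 * 50_000)))
```

The check is deliberately done at the smallest packet size, because that is where a fixed packets-per-second limit translates into the fewest bits on the wire; sizing an IDS by its megabit rating alone hides this. Setting the rate threshold below the weakest component's limit is what makes the alert fire before drops begin rather than after.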
